OSNews: http://www.osnews.com/story/24827/RSA_Admits_SecureID_Tokens_Have_Been_Compromised
Exploring the Future of Computingen-usCopyright 2001-2017, David Adamsadam+nospam@osnews.comThu, 14 Dec 2017 03:48:10 GMThttp://www.osnews.com/images/osnews.gifOSNews.comhttp://www.osnews.com
let's hope we can get rid of those keyshttp://www.osnews.com/thread?476340
http://www.osnews.com/thread?476340I really hate those keys. All banks use a similar system linked to your bankcard to login but KeyTrade has these RSA keys.

So you need to enter like dozens of keys and codes just to login. In the end you just write it down on a piece of paper next to the PC just to remember the stuff. Bye security!

I always forget how to use these, such a PITA, I do hope this is the end of these keys.Edited 2011-06-07 17:29 UTCTue, 07 Jun 2011 17:29:00 GMTdonotreply@osnews.com (stofke)CommentsRE: let's hope we can get rid of those keyshttp://www.osnews.com/thread?476366
http://www.osnews.com/thread?476366

In the end you just write it down on a piece of paper next to the PC just to remember the stuff. Bye security!

Obviously, you're referring to something different - that is not how RSA's SecurID works. There's nothing you can write down, the key value shown on the display changes 30 seconds or so, and this is synchronized with a server-side key value that also changes at the same time.

That is PRECISELY why these keys exist, so that users must have them in their possession to be authenticated. That's the generally-accepted definition of two-factor: authentication by something you know + something you have.

Edit: Re-reading your post, I think I understand why you don't get it... you keep trying to write down the key and re-use it again? um... no.Edited 2011-06-07 21:01 UTCTue, 07 Jun 2011 21:00:00 GMTdonotreply@osnews.com (umccullough)CommentsRE[2]: let's hope we can get rid of those keyshttp://www.osnews.com/thread?476391
http://www.osnews.com/thread?476391

That is PRECISELY why these keys exist, so that users must have them in their possession to be authenticated.

Well, that's the theory, at least. But it somewhat falls down if someone manages to get hold of the random seeds that the hardware keys work off, as the article suggests has happened...Tue, 07 Jun 2011 22:03:00 GMTdonotreply@osnews.com (Delgarde)CommentsRE[3]: let's hope we can get rid of those keyshttp://www.osnews.com/thread?476401
http://www.osnews.com/thread?476401

"That is PRECISELY why these keys exist, so that users must have them in their possession to be authenticated.

Well, that's the theory, at least. But it somewhat falls down if someone manages to get hold of the random seeds that the hardware keys work off, as the article suggests has happened... "

Yup, good thing those people should *also* have a strong password that must be brute-forced -- and if they used public/private key challenge/response in combination with the securid tokens, that could be a pretty big hurdle to overcome for someone who was only able to compromise one of the two methods.

In theory, with two-factor authentication, you can more easily identify when one of the two mechanisms has been compromised before the other one can be brute-forced.

Anyhow, I don't care all that much - RSA isn't one of my favorite "security" companies.Tue, 07 Jun 2011 22:52:00 GMTdonotreply@osnews.com (umccullough)Commentskeys + third partieshttp://www.osnews.com/thread?476415
http://www.osnews.com/thread?476415The lesson to be learned here is that it is unwise to rely on a third party (RSA) to manage the security of inhouse systems.

In general I actually think one time key generators such as RSA's are a good idea. But not if a third party keeps a copy of the keys.

This may sound obvious, but people don't always realize the number of entities who have keys into their system.

In theory, since oracle has control of java updates, they could install backdoors to perform corporate espionage. This may be far fetched, but it is not implausible.

The firefox guys could use FF update to plant bugs, so could chrome. (Hmm, google has a known history of doing this anyways, so it's less of a conspiracy with them.)

MS could do the same thing.Wed, 08 Jun 2011 01:33:00 GMTdonotreply@osnews.com (Alfman)CommentsRE: keys + third partieshttp://www.osnews.com/thread?476513
http://www.osnews.com/thread?476513The lesson to be learned here is that it is unwise to rely on a third party (RSA) to manage the security of inhouse systems.

The only thing worse is doing it in house :-)Wed, 08 Jun 2011 19:19:00 GMTdonotreply@osnews.com (AndrewZ)CommentsRE[2]: keys + third partieshttp://www.osnews.com/thread?476541
http://www.osnews.com/thread?476541AndrewZ,

"The only thing worse is doing it in house :-)"

Haha, well maybe.

But it is extremely troubling that RSA kept the keys (or pseudo random key generator) in the first place.

What legitimate purpose does RSA have to know the keys on their customer's systems (whether they're a trusted party or not)?

If I understand the incident correctly, this leak would not have been possible if RSA had disposed of it's keys after sending them to the customer. This sounds like gross negligence.Thu, 09 Jun 2011 01:36:00 GMTdonotreply@osnews.com (Alfman)CommentsRE: keys + third partieshttp://www.osnews.com/thread?476620
http://www.osnews.com/thread?476620I guess another thing to take away is not to use secret sauce security, especially the kind that relies on some single, centrally managed secret.Thu, 09 Jun 2011 16:34:00 GMTdonotreply@osnews.com (Soulbender)CommentsRE[2]: keys + third partieshttp://www.osnews.com/thread?476714
http://www.osnews.com/thread?476714Soulbender,

"I guess another thing to take away is not to use secret sauce security, especially the kind that relies on some single, centrally managed secret."

You are right, but good cryptography doesn't rely on secret sauce, only secret end user toppings (gosh, I'm not feeling the analogy).

The attacks were certainly newsworthy, but I hope that RSA does more than just fix the leak. I hope they scrub the customer keys from their systems.Fri, 10 Jun 2011 01:43:00 GMTdonotreply@osnews.com (Alfman)Comments